DEV Community

Marco Platzer
Marco Platzer

Posted on

3

Creating a Custom Role for Secure Bicep Deployments in Azure

When deploying Azure resources with Bicep, you might have encountered the need for elevated permissions to create role assignments. By default, assigning roles during deployments requires high-level permissions like Owner at the subscription or resource group level. This setup can be concerning, as it grants more permissions than are necessary for the task.

To tackle this, I created a custom Azure role that has just the required permissions for creating role assignments. This ensures deployments remain secure and adhere to the principle of least privilege.

Why Use a Custom Role?

Instead of assigning broad roles like Owner or Contributor, a custom role enables you to:

  1. Limit permissions to only what’s necessary.
  2. Improve security by minimizing access rights.
  3. Maintain compliance with organizational governance policies.

Here’s how you can create a custom role that allows Bicep deployments to create role assignments without requiring Owner access.

Step-by-Step Guide to Creating the Custom Role

To create the custom role, you can use the Azure PowerShell module. Below is a script that defines and deploys the custom role.

# Define a new custom role with the required permissions
$role = Get-AzRoleDefinition Contributor
$role.Id = $null # Set ID to null to define a new role
$role.Name = "Role Assignment Creator"
$role.Description = "Can create role assignments during ARM/Bicep deployments"
$role.Actions.Clear() # Clear inherited permissions
$role.NotActions.Clear() # Clear inherited NotActions
$role.Actions.Add("Microsoft.Authorization/roleAssignments/write")
$role.Actions.Add("Microsoft.Resources/deployments/write")
$role.Actions.Add("Microsoft.Resources/deployments/read")
$role.Actions.Add("Microsoft.Resources/deployments/operationStatuses/read")
$role.AssignableScopes.Clear() # Clear existing scopes
$role.AssignableScopes.Add("/subscriptions/<subscriptionID>") # Replace <subscriptionID> with your subscription ID

# Create the custom role definition
New-AzRoleDefinition -Role $role

# Verify the new role definition
Get-AzRoleDefinition -Name "Role Assignment Creator"

Enter fullscreen mode Exit fullscreen mode

Key Permissions Explained

Microsoft.Authorization/roleAssignments/write allows the creation of role assignments.
Microsoft.Resources/deployments/write grants permission to create deployments.
Microsoft.Resources/deployments/read enables read access to deployments.
Microsoft.Resources/deployments/operationStatuses/read allows reading deployment operation statuses.

These actions cover the necessary permissions for Bicep deployments involving role assignments, without granting broader access like Owner.

Assigning the Custom Role

After creating the role, you can assign it to a specific user, group, or service principal using the Azure portal, CLI, or PowerShell.

New-AzRoleAssignment -ObjectId <principalId> -RoleDefinitionName "Role Assignment Creator" -Scope "/subscriptions/<subscriptionID>"
Enter fullscreen mode Exit fullscreen mode

Replace <principalId> with the object ID of the user or service principal you want to assign the role to.

Creating a custom role like this provides a more secure and fine-grained approach to handling deployments in Azure. By defining the exact permissions needed, you can minimize security risks and ensure compliance with best practices.

If you have similar requirements or insights into role definitions, feel free to share in the comments!

Billboard image

Monitor more than uptime.

With Checkly, you can use Playwright tests and Javascript to monitor end-to-end scenarios in your NextJS, Astro, Remix, or other application.

Get started now!

Top comments (0)

Image of Docusign

🛠️ Bring your solution into Docusign. Reach over 1.6M customers.

Docusign is now extensible. Overcome challenges with disconnected products and inaccessible data by bringing your solutions into Docusign and publishing to 1.6M customers in the App Center.

Learn more

👋 Kindness is contagious

Dive into an ocean of knowledge with this thought-provoking post, revered deeply within the supportive DEV Community. Developers of all levels are welcome to join and enhance our collective intelligence.

Saying a simple "thank you" can brighten someone's day. Share your gratitude in the comments below!

On DEV, sharing ideas eases our path and fortifies our community connections. Found this helpful? Sending a quick thanks to the author can be profoundly valued.

Okay